Defense Department’s Cyberwar Credibility Gap

Undersecretary of Defense William J. Lynn has published an essay in Foreign Affairs magazine redefining the United States’ stance towards cyberwarfare, and he’s already getting shot at – primarily by IT pundits who find it hard to believe that the incident which led to the Pentagon’s recognizing cyberspace as a new “domain of warfare” could have really happened as described.

In his essay, “Defending a New Domain,” Lynn recounts a widely-reported 2008 hack that was initiated when, according to Lynn, an infected flash drive was inserted into a military laptop by “a foreign intelligence agency.”

Critics such as IT security firm Sophos’ Chief Security Adviser Chester Wisniewski argue that this James Bond-like scenario doesn’t stand up to scrutiny. The primary issue is that the malware involved, known as agent.btz, is neither sophisticated nor particularly dangerous. A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows “autorun” feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives. In 2007, SillyFDC was rated Risk Level 1: Very Low, by security firm Symantec.
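The autorun mitigation mentioned above, as an added defensive example that is not part of the article: a PowerShell audit of the NoDriveTypeAutoRun policy value, showing the weak state (value absent or missing the removable-drive bit) beside the corrected one (0xFF, autorun disabled for every drive type). The registry path, value name and bit meanings are Microsoft’s documented ones; the function names are this example’s own.

```powershell
# Added example (not from the article): audit and remediate the Windows autorun
# setting that removable-media worms of the agent.btz/SillyFDC type depend on.
# Assumes the documented policy value NoDriveTypeAutoRun under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.
# 0xFF disables autorun for all drive types; bit 0x04 alone covers removable drives.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$AllDrives = 0xFF
$Removable = 0x04

function Get-AutorunStatus {
    # Report the configured bitmask and whether removable drives are covered.
    $current = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        ConfiguredValue   = if ($null -eq $current) { 'not set (Windows default)' } else { '0x{0:X2}' -f $current }
        RemovableDisabled = ($null -ne $current) -and (($current -band $Removable) -ne 0)
        AllDrivesDisabled = ($null -ne $current) -and (($current -band $AllDrives) -eq $AllDrives)
    }
}

function Disable-Autorun {
    # Corrected state: set the mask to 0xFF (requires an elevated session).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives -Type DWord
}

$status = Get-AutorunStatus
$status | Format-List
if (-not $status.RemovableDisabled) {
    Write-Warning 'Autorun still enabled for removable media; applying 0xFF.'
    Disable-Autorun
    Get-AutorunStatus | Format-List
}
```

The same setting is normally pushed fleet-wide through the Group Policy “Turn off Autoplay” entry rather than edited host by host; the script is a check that the policy actually landed on a given machine.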

Use of agent.btz Questioned

The question posed by Wisniewski and others is, why would a foreign intelligence agency attack the U.S. government with such a low-powered weapon? While making it clear that he has no insider knowledge of the incident, Wisniewski argues that the scenario put forth by Lynn isn’t credible. In his words, “Either it wasn’t put there by a foreign government or it wasn’t agent.btz.”

Tom Conway, security firm McAfee’s Director of Federal Business Development, doesn’t find it difficult to believe that a foreign government would make use of agent.btz. “Why reveal your trade craft if something that’s widely available on the black market will do the job?” he asks. He is, however, very concerned about what the attack revealed about the state of U.S. military security. “One, the fact that the network was vulnerable shows a lack of governance. Two, it shows that classified information is at risk, not just unclassified. Three, it shows that our adversaries are aware of One and Two.”

When interviewed by the influential security blog Danger Room, Lynn refused to provide any details about the incident or to discuss any retaliatory measures that might have been taken.

An Evolving U.S. Policy

The question of whether the 2008 hack is to become the Tonkin Gulf of cyberspace has to some extent overshadowed the content of the article, which is significant as a new framing of the Obama administration’s cyberspace policy.

The essay characterizes the threat to U.S. interests as “asymmetrical,” a military term of art used to describe conflicts such as the one now taking place in Afghanistan, where skirmishes against guerrilla forces replace conventional battles, and where the enemy may make up for what it lacks in numbers and firepower with agility and cunning. The deterrence models of the Cold War – assured retaliation – do not apply. Rather, “Deterrence will necessarily be based more on denying any benefit to attackers.” Targets may be non-military, such as U.S. power grids, transportation networks and financial systems.

To combat cyber threats, Lynn has ordered the creation of a single, four-star command, the U.S. Cyber Command, which is to become fully operational by October. The new command will have responsibility for day-to-day protection of defense networks, and will work with “a variety of partners” inside and outside the U.S. Government, including the FBI, the Department of Homeland Security, the Justice Department and the Defense Information Systems Agency.

The Pentagon has already deployed three overlapping lines of defense: a new emphasis on basic computer hygiene (e.g. applying patches promptly), the use of intrusion detection sensors, and the use of government intelligence capabilities to provide “highly specialized active defenses.”

Lynn also calls for “dramatic improvements in the government’s procedures of acquiring information technology.” At present, the time from funding to deployment of a new government IT system averages 81 months, which is obviously too slow to keep up with the pace of technology.